Prevent SFTP login

fabian · January 29, 2018, 05:39:03 PM

sounds good. but I would hardcode "wheel" to prevent a lockout of root and a user may add additional groups.

franco · January 29, 2018, 05:41:55 PM

That should make sure of it?

https://github.com/opnsense/core/blob/master/src/etc/rc.subr.d/recover#L34

And all GUI groups are added to the system, so that should all play out as it should.

Cheers,
Franco

fabian · January 29, 2018, 06:07:43 PM

I mean the sshd_config setting should be "AllowdGroups wheel custom_group1 custom_group2" where the default is "admin" as the first custom group so it is as hardened as possible and it will be hard to lockout root without changing the code.

franco · January 29, 2018, 06:15:43 PM

Good point, sure.

But we have to do stuffing in that case:

Setting is on, e.g. "admins":

AllowedGroups wheel admins

(does not support multi-select)

Settings is off:

#AllowedGroups nope

(not restricted as it is now)

Cheers,
Franco

franco · January 31, 2018, 10:21:06 PM

As discussed.... https://github.com/opnsense/core/commit/4cdfe13bc

I don't think this will hit 18.1.1, but 18.1.2 is likely.

Cheers,
Franco

namezero111111 · February 01, 2018, 02:54:22 PM

Awesome; I'm excited about the response :}

Prevent SFTP login

fabian

January 29, 2018, 05:39:03 PM #15

franco

January 29, 2018, 05:41:55 PM #16

fabian

January 29, 2018, 06:07:43 PM #17

franco

January 29, 2018, 06:15:43 PM #18

franco

January 31, 2018, 10:21:06 PM #19

namezero111111

February 01, 2018, 02:54:22 PM #20